Routing question on 2 680's that are vpn'd together.



roveer
2016-11-05, 19:10
So I have 2 680's at 2 different locations. VPN is connecting them together.

Site 1: Main Network: 172.16.1.1
Site 1: Secondary Network defined on one of the lan ports: 10.1.1.1

Site 2: Main Network: 192.168.1.1

So at site 1 my workstations are all on the 172. network. They can ping and more importantly Remote Desktop Connection devices on the 10. network with no problems at all.

The problem is that at Site 2 I can't access anything on the 10. network. From Site 2 I can ping and RDC anything on the site 1 172. net without problems, just not anything on the site 1 10. network.

Is it possible to get to the 10. network from the 192. network? I would think it should be.

I tried creating some 'routes' that said to get to the 10. network, you need to go to the 172 network, but nothing worked.

Do I need to create routes on both sides?

Any insight would be appreciated.

It's really great pulling data across these devices over FIOS at 75mbps. I'm soon going to have 150mbps on both sides. It'll be screaming then!

Roveer

laf_c
2016-11-07, 05:39
Can you share full routing table on each device/location?

roveer
2016-11-07, 10:26
Ignore the 192.168.200.0 & 192.168.201.0 networks for site 1, those are other subnets that I was using to separate devices from the 172.16.1.0 network at site 1.

Site 1 routing table: attachment 1173

Site 2 routing table: attachment 1174

laf_c
2016-11-08, 04:10
I wanted to see the routing table, because I wanted to make sure the 10.x network is behind another interface and NOT configured as a secondary IP address.
Now this goes into one of the two:
- you have a firewall access/vpn misconfiguration
- there's some kind of box limitation (which we can know for sure just after we troubleshoot the first option).

Back to no. 1:
- what SW version are you running?
- is this centrally managed or a standalone deployment?
- can you share the encryption domain for site 1: does it contain both networks?
- do you have the vpn tu and vpn trunc utilities available? We need to look into the ike.elg file with regard to phase 2: what is the enc domain being sent by the appliance on site 1 when you ping 192.168.x.y from the 10.x network?

roveer
2016-11-08, 12:00
Thanks for the detailed explanation. I'm sure we are probably going to find a mis-configuration. I was pretty lost when I was reading about encryption domains. I did all configuration using the gui.

sw version: R77.20.20 (990170830) a new version is available but I haven't had time to update both boxes and deal with the issue that might come of it. Last upgrade didn't go well.

stand-alone management.

Site 1 encryption domain: attachment 1175

Tools: vpn tu and vpn trunc
It does appear I have these tools. I putty'd into box and issued both and got responses. If you can assist with some syntax and process I can provide the info.

I've captured an ike.elg while doing a ping from 10. to 192. I have ikeview. Can you tell me what/where to look for pertinent data. I don't want to post the file as it contains my public IP's.

Thanks,

laf_c
2016-11-09, 07:17
Hold on please!
Why don't you have 10.1.1.0/24 network present on the last attached print screen showing Encryption domain?

roveer
2016-11-09, 09:41
I noticed that too when I was posting the ED. Since I do all the configuring via the gui and the ED is set to manual, I'm assuming that it doesn't automatically place any new subnets. I did throw it in yesterday as a quick test and it didn't seem to make a difference. I just looked; it's been in there overnight, and I just tried from site 2 to site 1 and it still doesn't work.

Do I have to define the 10. network on site 2 router in any way?

roveer
2016-11-15, 19:58
Any ideas what I can/should do next? I did place this subnet into the routers Encryption Domain. Didn't seem to make a difference.

jflemingeds
2016-11-15, 23:26
That missing 10. segment was for sure a major configuration issue. Did that change what you see in the logs? You should be looking on both firewalls.

Any chance a NAT is messing with things? There should be an option to disable NAT on the vpn community as a test.

roveer
2016-11-17, 12:12
nat is disabled on both sides on the vpn configuration.

where should I be looking in the logs? The appliance logs usually don't provide much information. I did pull an ike.elg and I do have ikeview but I'm not sure how to interpret what I am seeing. A little info and I should be able to figure it out. I'm fairly resourceful and willing to work and learn.

Thanks,

Roveer

jflemingeds
2016-11-17, 12:41
Do a filter for the vpn blade in one session, attempt to send traffic to the 10.x and watch the logs on both firewalls.

If you don't see anything on the vpn blade that looks like a failed key exchange or something, then look for hits on the IP of the 10.x host.

As far as ikeview, you're looking for anything that is red.

IPSEC has 2 phases, and since you have a working connection between two networks that tells me phase 1 is good.

Real quick, phase 1 is basically just chatter between the peers.
Phase 2 deals with what network is behind which peer.

My guess is, if it's a vpn connection failing, it's phase 2. An issue you might see is one firewall advertising a subnet bigger than you expect; lots of history on this issue.

In ikeview you'll be able to see phase 2 stuff listed as P2. Then look on the right window for the subnets. If you don't see any red in ikeview, my guess is there is a new issue. The 10.x subnet missing from the remote encryption domain is an issue.

I'll have to swing through your screen shots again. I'm pretty bad about missing stuff that was already posted.

Hopefully that's enough to get you back into looking at stuff. tcpdump or a packet capture on the 10.x host might be useful also. Maybe the traffic is really getting there but not going back for some reason.

jflemingeds
2016-11-17, 12:43
BTW can you show the remote encryption domain from both site 1 and site 2?

roveer
2016-11-18, 12:02
Absolutely. How do I see a "remote encryption domain"? I only see a "local encryption domain" from the GUI so I'm assuming I have to get it from the cli? Can you help with the command. I'm also looking for same as I write this.

Roveer

jflemingeds
2016-11-18, 12:13
VPN tab -> VPN sites -> edit the vpn -> Remote Site tab

Scroll down to Remote Site Encryption Domain.

So site 1 should show all of site 2's networks in this section.

Site 2 should show all of site 1's networks. Both sides should also be set to manual FYI.
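The two checks jflemingeds describes above, that each gateway's remote encryption domain lists every subnet actually behind the peer and that no entry is broader than what the peer really has (the phase 2 "bigger subnet than you expect" problem), can be expressed as a small script. The following is an added example, not anything from the thread or from the appliance vendor; the subnet values are constructed to mirror the thread (172.16.1.0/24 and 10.1.1.0/24 at site 1, 192.168.1.0/24 at site 2) and the `site1`/`site2` labels and function names are this example's own. `tunnel_ok` also shows why traffic can arrive at the 10.x host but never get back: the return direction is checked against the other gateway's configuration.

```python
import ipaddress

# Constructed values mirroring the thread (not the poster's real config).
# local:  subnets each gateway protects (its local encryption domain)
LOCAL_DOMAIN = {
    "site1": ["172.16.1.0/24", "10.1.1.0/24"],
    "site2": ["192.168.1.0/24"],
}

# remote: what each gateway believes is behind its peer
# "before" state from the thread: site 2 is missing site 1's 10.1.1.0/24
REMOTE_DOMAIN_BEFORE = {
    "site1": ["192.168.1.0/24"],
    "site2": ["172.16.1.0/24"],
}

# "after" state: the missing subnet added on site 2's remote domain
REMOTE_DOMAIN_AFTER = {
    "site1": ["192.168.1.0/24"],
    "site2": ["172.16.1.0/24", "10.1.1.0/24"],
}

# a too-broad entry: covers 10.1.1.0/24 but claims far more than site 1 has
REMOTE_DOMAIN_TOO_BROAD = {
    "site1": ["192.168.1.0/24"],
    "site2": ["172.16.1.0/24", "10.0.0.0/8"],
}


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _covered(net, domain):
    """True if some network in `domain` contains all of `net`."""
    return any(net.subnet_of(d) for d in domain)


def check_remote_domain(local, remote, gw, peer):
    """Findings about what gateway `gw` has configured for its peer `peer`.

    1. every local subnet of the peer must be covered by gw's remote domain,
       otherwise gw never selects the tunnel for that destination;
    2. every entry in gw's remote domain should itself be covered by the
       peer's local domain, otherwise gw proposes a wider selector in phase 2
       than the peer will accept.
    """
    findings = []
    gw_remote = _nets(remote[gw])
    peer_local = _nets(local[peer])
    for s in peer_local:
        if not _covered(s, gw_remote):
            findings.append(f"{gw}: remote domain is missing {s} (behind {peer})")
    for r in gw_remote:
        if not _covered(r, peer_local):
            findings.append(f"{gw}: remote domain entry {r} is broader than {peer}'s local domain")
    return findings


def check_domains(local, remote):
    """Run check_remote_domain in both directions for a two-site VPN."""
    return (check_remote_domain(local, remote, "site1", "site2")
            + check_remote_domain(local, remote, "site2", "site1"))


def tunnel_ok(src_ip, dst_ip, src_site, dst_site, local, remote):
    """(forward, reverse): is the flow tunnelled out from src_site, and would
    the reply be tunnelled back from dst_site? Both must be True for a ping
    or RDP session to work; (False, True) means the request never leaves."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)

    def in_domain(ip, cidrs):
        return any(ip in n for n in _nets(cidrs))

    forward = in_domain(src, local[src_site]) and in_domain(dst, remote[src_site])
    reverse = in_domain(dst, local[dst_site]) and in_domain(src, remote[dst_site])
    return forward, reverse


if __name__ == "__main__":
    for name, remote in (("before", REMOTE_DOMAIN_BEFORE),
                         ("after", REMOTE_DOMAIN_AFTER),
                         ("too broad", REMOTE_DOMAIN_TOO_BROAD)):
        print(f"--- {name} ---")
        for f in check_domains(LOCAL_DOMAIN, remote) or ["no findings"]:
            print(" ", f)
        # a site 2 workstation trying to RDP to a host on site 1's 10.x LAN
        print("  192.168.1.50 -> 10.1.1.20 (forward, reverse):",
              tunnel_ok("192.168.1.50", "10.1.1.20", "site2", "site1",
                        LOCAL_DOMAIN, remote))
```

Run it as-is and the "before" block reports exactly the thread's fault: site 2's remote domain lacks 10.1.1.0/24, so the forward direction is False while the reverse direction is already fine. The "too broad" block passes the coverage test but flags the 10.0.0.0/8 entry, the case to look for in ikeview's P2 subnet listing.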

roveer
2016-11-18, 12:22
I just found another encryption domain in the GUI. This one is called "remote access local encryption domain". It was set to automatic on both routers. Maybe it needs to be set to manual and subnets placed in each?

Remote access local encryption domain: attachment 1177

roveer
2016-11-18, 12:29
THAT FIXED IT!!!

The site 2 only had the main 172 subnet of site 1. It didn't have the 10. subnet. I just added it on site 2's rem enc dom and I can now access that 10 network from site 2.

Many many thanks for helping me find my problem.

I'm guessing it was 2 fold. First, I didn't have the 10 network in the local encryption domain, and second, I didn't have the 10 network in the remote encryption domain at site 2.

Again, my thanks,

Roveer

jflemingeds
2016-11-18, 12:53
Good to hear!